Logging

Logging is important - we love logging.

Because of this, Knocknoc produces log output that is easy to find, follow and parse. It provides an additional layer of visibility across your Knocknoc user activity, including logins, access grants and manual interactions, as well as administrative/management operations.

Importantly, Knocknoc events include a string "KnocknocEvent" followed by a collection of relevant key/value pairs, which can be parsed out by your favourite log aggregator/SIEM, or easily searched through syslog.

For example:

KnocknocEvent=LoginUser User=demouser ip=1.2.3.4 UserType=local request_id=cv041e4nqrrqhd74hk4g uid=0194cebb-506f-7769-bd65-b57b9bc3a4c0

| KnocknocEvent | Event | Additional data |
| --- | --- | --- |
| LoginUser, LoginAdmin; LogoutUser, LogoutAdmin | Successful user/admin login; successful user/admin logout | Username, IP Address, Auth type (eg: SAML, Local); UID/internal user-id, request_ID for tracking linked events |
| CreateGrant; ManualGrant; PortWalkGrant | Granting of access to users, via Agents; manual (click to grant) interactions; additional IPs discovered as part of port-walking | Username, IP Address, Auth type (eg: SAML, Local), UID, ACL Name, ACLID, Request_ID; any additional IPs in the case of PortWalkGrant |
| AllowlistRetrieved | API-based AllowLists successfully retrieved by consumers, eg: firewalls polling EDLs | ACL Name, IP Address (of consumer), ACLID, Format (txt/json), Request_ID |
| TOTPInvalid, TOTPInvalidUser; TOTPValidAdmin, TOTPValidUser | Invalid TOTP provided (on valid Password); valid TOTP provided. Note: local users only, does not appear from SAML. | Username, request_ID |
| Audit events for logging of system/data change: CreateACL, CreateAgent, CreateApiKey, CreateGrant, CreateUser, CreateAdmin, CreateGroup, CreateKnoc; DeleteACL, DeleteAdmin, DeleteAgent, DeleteApiKey, DeleteGroup, DeleteKnoc, DeleteUser; UpdateACL, UpdateAdmin, UpdateAgent, UpdateApiKey, UpdateGroup, UpdateKnoc, UpdateSettings, UpdateUser; ResetAdminOTP, ResetUserOTP | Create entities; delete entities; update entities; reset TOTP for local users/admins | Includes related information, including: entity type (eg: user, agent, ACL, etc); entity name (eg: Bob User); performing user (eg: Jane Admin); IP address, internal IDs, request_ID |

These events are logged to Syslog for onward collection and parsing.

If you require additional logging you can manage the verbosity; however, these events are all logged by default, at the 'info' verbosity level.

Some examples:

KnocknocEvent=LoginUser ip=1.2.3.4 UserName=dwight.schrute UserType=SAML request_id=xx uid=yy

KnocknocEvent=CreateGrant User=dwight.schrute ACL="Palo45" ip=1.2.3.4 ACLID=xx GrantID=yy UserType=SAML request_id=zz

KnocknocEvent=ManualGrant ACL="Fortinet8" UserName=dwight.schrute request_id=xx

KnocknocEvent=LogoutUser User=dwight.schrute UserType=SAML request_id=xx uid=yy

KnocknocEvent=AllowlistRetrieved ACL="SSH-NYC4" ip=1.2.3.4 aclID=xx format=txt request_id=yy

KnocknocEvent=LoginAdmin User=bob-admin ip=1.2.3.4 UserType=local request_id=xx uid=yy

KnocknocEvent=TOTPValidAdmin User=bob-admin request_id=xx

KnocknocEvent=UpdateSettings User=bob-admin request_id=xx

KnocknocEvent=LicenseKeyValidationSuccessful Expiry=2025-03-31T00:00:00Z SessionLimit=10 UserLimit=25

KnocknocEvent=CreateAgent User=bob-admin Agent={"ID":"0xx","Name":"rhel9-aws"} request_id=xx

KnocknocEvent=TOTPInvalid User=bob-admin request_id=xx
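
The key/value format shown above can be parsed with a few lines of code before the events reach a SIEM. The following is an added example, not Knocknoc's own code: it handles quoted values and the JSON object seen in the CreateAgent example, folds the `User`/`UserName` spellings into one field, and counts TOTPInvalid events per user. The syslog prefix, the function names and the sample lines are assumptions constructed for illustration.

```python
import json
import re
from collections import Counter

# Constructed sample: the syslog prefix is assumed, payloads follow this page's examples.
SAMPLE = [
    'Feb  3 10:00:01 kn1 knocknoc[812]: KnocknocEvent=ManualGrant ACL="Fortinet 8" UserName=dwight.schrute request_id=xx',
    'Feb  3 10:00:02 kn1 knocknoc[812]: KnocknocEvent=CreateAgent User=bob-admin Agent={"ID":"0xx","Name":"rhel9 aws"} request_id=xx',
    'Feb  3 10:00:03 kn1 knocknoc[812]: KnocknocEvent=TOTPInvalid User=bob-admin request_id=xx',
    'Feb  3 10:00:04 kn1 knocknoc[812]: KnocknocEvent=TOTPInvalid User=bob-admin request_id=xy',
    'Feb  3 10:00:05 kn1 sshd[99]: Accepted publickey for ops from 1.2.3.4',
]

_JSON = json.JSONDecoder()
_KEY = re.compile(r"\s*([A-Za-z_]\w*)=")

def parse_event(line):
    """Return a dict with lower-cased keys, or None if the line is not a KnocknocEvent."""
    pos = line.find("KnocknocEvent=")
    if pos < 0:
        return None
    fields = {}
    while (m := _KEY.match(line, pos)):
        key, pos = m.group(1).lower(), m.end()
        value = None
        if line[pos:pos + 1] in ('"', "{"):
            # Quoted strings and JSON objects may contain spaces: let the JSON decoder find the end.
            try:
                value, pos = _JSON.raw_decode(line, pos)
            except ValueError:
                pass  # not valid JSON, fall back to a whitespace-delimited token
        if value is None:
            end = line.find(" ", pos)
            end = len(line) if end < 0 else end
            value, pos = line[pos:end], end
        fields[key] = value
    # The page's examples use both User= and UserName=; fold them into one field.
    if "username" in fields:
        fields.setdefault("user", fields.pop("username"))
    return fields

def totp_failures(lines):
    """Count TOTPInvalid* events per user; each one followed a valid password."""
    hits = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev and ev["knocknocevent"].startswith("TOTPInvalid"):
            hits[ev.get("user", "?")] += 1
    return hits
```

Because a TOTPInvalid event is only logged after a valid password, a rising count for one user is worth alerting on; the threshold is a local decision.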